Privacy Policy

Privacy Policy. In compliance with current data protection regulations — Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, known as the General Data Protection Regulation (GDPR); Organic Law 15/1999 of 13 December on the Protection of Personal Data; and Royal Decree 1720/2007 of 21 December approving the implementing Regulation of Organic Law 15/1999 — we inform you that our company’s Data Protection and Privacy Policy, regarding the processing of your personal data, is as follows:

Controller of personal data processing

The controller is the natural or legal person, public authority, service or other body which, alone or jointly with others, determines the purposes and means of processing. In this case, the controller’s details are as follows:

Identity: Salou Booking SL
Tax ID: B55534747
Postal Address: Avda Salvador Vilaseca, 7 Local 1 Salou
Telephone: +34 938 905 479
Email: begin@theoriginhotels.ltd

Salou Booking SL, as data controller and website owner, in accordance with the applicable legal framework, and specifically Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR), as well as Law 34/2002 of 11 July on Information Society Services and Electronic Commerce (LSSICE), informs you that we have implemented appropriate technical and organizational measures, in line with the state of the art and the cost of their application, taking into account the risks and nature of the personal data processed, to ensure and protect the confidentiality, integrity and availability of your personal data.

Personal data

Personal data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. A wide variety of information is considered personal data, for example name, contact details, identification number, computer IP, etc.

For more information, please consult the website of the Spanish Data Protection Agency (http://www.agpd.es) or the Catalan Data Protection Authority (http://apdcat.gencat.cat/), among others.

Processing of personal data

“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Purpose of data processing

For what purpose do we process your personal data?

The personal data provided by data subjects will be used exclusively for the following purposes:

Contracting products and services: To manage and carry out the provision of services and/or products contracted or requested by data subjects [...]

Enquiries or contact: To handle, respond to and follow up on enquiries and requests made by data subjects and/or to provide information requested by the data subject.

Would you like to work with us?: To assess and manage your CV and the academic and professional data you have provided to us for the recruitment processes you have applied for or those matching your professional profile, and to take the necessary steps for staff selection and hiring, including contacting you to expand on information or arrange an interview, if you have signed up via the “work with us” form and/or provided your CV.

Newsletter: To send marketing communications (newsletters) related to our products and services by any means (email, postal mail or telephone), with information about our services and products, promotions and discounts, invitations to company events, etc., provided that the data subject has accepted and consented to receive marketing communications by subscribing to the Newsletter. The data subject will receive a confirmation email upon subscription.

Communicating changes to the privacy policy: To notify or communicate relevant changes to the data protection and privacy policy, legal notice or cookie policy.

Statistics and surveys: To carry out market research and statistics regarding our products and services, without automated decision-making in any case; and to conduct satisfaction surveys on our products in order to improve the services we offer customers.

The company informs you that your personal data will not be processed for any purpose other than those set out in this section, except where there is a legal obligation or court order. Your personal data will not be subject to decisions based solely on automated processing that produce legal effects concerning you.

How long will we keep your personal data?

The personal data you have provided will be retained for the time necessary to perform the requested or contracted service, and for up to a maximum of 5 years from your last confirmation of interest in us keeping your data.

This is without prejudice to longer retention for compliance with legal obligations and for the exercise and follow-up of any legal actions that may be appropriate. Once the indicated periods have elapsed, the personal data will be deleted.

Lawful basis for processing your data

The legal basis for processing your personal data is the free and lawful acceptance by the user of the legal relationship at the time of accepting this Personal Data Protection and Privacy Policy.

Below we detail the lawful basis for processing your data in relation to each of the processing purposes identified above.

Contracting products and services: The lawful basis is the pre-contractual and/or contractual relationship between the parties for the provision of the services and/or products contracted or requested by data subjects [...]

Refusal to provide the personal data requested to prepare a quotation or to contract our products or services will make it impossible to prepare the quotation or provide the contracted service or product.

Enquiries and contact: The lawful basis is our ability to respond to enquiries freely raised by data subjects. This processing is carried out pursuant to Article 6(1)(a) and (b) GDPR.

Would you like to work with us?: If the data subject has used the “work with us” form and/or provided a CV, the lawful basis is the data subject’s free acceptance and consent to process their personal data and to evaluate and manage their job application, in accordance with Article 6(1)(a) and (b) GDPR.

Refusal to provide the requested personal data will make it impossible to manage and process your job application.

Newsletter: If the data subject has ticked the box to accept receiving marketing communications and/or subscribed to newsletter forms, the lawful basis for sending marketing communications is the data subject’s free and express consent.

The data subject may withdraw consent for this processing at any time, without affecting the lawfulness of processing based on consent before its withdrawal. See the “Rights of data subjects” section.

Communicating changes to the privacy policy: The lawful basis is the appropriateness of informing data subjects of changes that may occur in the company’s privacy policy.

Statistics and surveys: The lawful basis is the data subject’s consent to carry out statistical studies and surveys, pursuant to Article 6(1)(a) GDPR.

Recipients of data disclosures or transfers

For the best fulfilment of the services requested of us, we provide certain data to processors with whom we have signed the corresponding data protection agreements. In such cases, the data provided are only those strictly necessary for the specific activity to be performed.

By way of example only, services that may be contracted to processors include: hosting providers, security companies, tax, legal or advisory services, etc. The above list is for illustration purposes; the company may use services from companies in other sectors in order to provide quality services.

Aside from these cases, no disclosure or communication of data is envisaged either within or outside the EU. Information will also be provided to third parties where required by applicable law or by court order (public administrations, courts and tribunals, law enforcement agencies, tax authorities, etc.).

Rights of data subjects

You are informed that, as a data subject, you have the following rights:

Right of access: anyone has the right to know and obtain information about the personal data we process.

Right to rectification: data subjects have the right to request the rectification, supplementation and/or correction of inaccurate, incorrect or incomplete data.

Right to erasure (right to be forgotten): data subjects may request the deletion of personal data concerning them when they are no longer necessary for the purposes collected.

Right to cancellation: you may request the cancellation of your data.

Right to object: data subjects may object to the processing of their data for marketing purposes, including profiling.

In case of objection, the company will stop processing the data, except for compelling legitimate grounds or for the exercise or defence of legal claims.

Right to restriction of processing: data subjects may request restriction of processing in the cases provided for in Article 18 GDPR:

• When the data subject contests the accuracy of the personal data.
• When the processing is unlawful and the data subject opposes erasure.
• When the data are no longer needed but the data subject requires them for claims.
• When the data subject objects to processing while it is verified whether the controller’s legitimate grounds prevail.

Right to data portability: to obtain personal data in a structured, commonly used and machine-readable format.

Right not to be subject to automated individual decision-making: including profiling that produces legal effects.

Right to withdraw consent: at any time, without retroactive effect.

Data subjects may obtain further information about their rights from the Spanish Data Protection Agency (http://www.agpd.es) or the Catalan Data Protection Authority (http://apdcat.gencat.cat/).

How can you exercise your rights?

You can exercise your rights by sending a written request to the postal address:

C/ Major s/n, Salou (Spain)

or by email to begin@theoriginhotels.ltd with the subject “Personal Data”, attaching a copy of your identity document or any similar means.

Available complaint channels

If you believe your rights have not been adequately addressed, you have the right to lodge a complaint with the Spanish Data Protection Agency or any competent supervisory authority.

Information processed

What categories of personal data do we process?

We seek to request the minimum information necessary to manage the established purposes. Our company may process the following categories of personal data:

• Identification data: first and last name, identification number, country.
• Postal or email addresses and telephone number.
• Economic/financial information for billing and collection.
• Commercial information or company affiliation.
• Data relating to products or services contracted.
• Identification codes or passwords provided by the company.
• Academic and employment data (if you have applied for an offer or sent a CV).
• Web browsing data.

No special category data are processed. The data subject guarantees that the data provided are truthful and undertakes to communicate any changes.

If third-party data are provided, the user declares that they have previously obtained their consent and informed them in accordance with this policy.

Personal data we collect automatically

When the data subject visits our websites, we collect certain information automatically, even if no enquiry or contracting is ultimately carried out. This information may include the IP address, the date and time our services were accessed, information about the hardware, software or internet browser used, the selected language, among others.

This information allows us to improve the services and user experience on the website, and to identify possible fraudulent uses and possible attacks on website security, as well as to compile statistics on website use and effectiveness. Unless fraudulent use or a security threat is detected, this data will not be retained. In no case will automated decisions with legal effects for the user be made based on this information. The legitimacy for this processing is recognised by the GDPR itself, recital no. 49.

Sending communications

Whenever the data subject makes an enquiry, requests a quotation or applies for a job offer and/or sends their CV, the company may contact the data subject by telephone or email. The data subject will receive a confirmation email in case of newsletter subscription or when consenting to receive marketing communications.

Furthermore, the company may send marketing communications related to the products or services it offers, provided explicit and specific consent has been given by ticking the appropriate box or by any other express manifestation of consent.

The data subject may withdraw consent to receive any type of marketing communication at any time by sending a communication under the terms set out in the “Rights of data subjects” section. This option will also be offered in each commercial communication received by email or SMS.

Communication of data by minors

The services offered through the website are only available to adults. Therefore, those who do not meet this condition must refrain from providing personal information on the website.

Links to third-party websites

Our website may contain links to websites of third-party companies and entities. Since we cannot be responsible for how these companies handle the protection of privacy and personal data of their users, we advise you to read carefully the privacy policies of those websites not owned by the company regarding the use, processing and protection of personal data.

Social media

Our company uses social networks to publicise its services and products and to share information and experiences with users and followers. Since we cannot be responsible for how these companies handle privacy and personal data protection, and as each has its own policy, we recommend reading carefully the privacy policies of each social network regarding how they process users’ personal data before using them.

Changes to the privacy policy

The company reserves the right to modify this Data Protection and Privacy Policy in accordance with the processing carried out and the applicable legislation at any given time, of which it will duly inform on the website; therefore, we recommend that data subjects review it periodically to stay informed about how the company processes and protects their personal data.

Questions and doubts

If you have any questions about this privacy policy, please contact us by sending an email to begin@theoriginhotels.ltd with the subject “Privacy Policy”.